It doesn’t even matter what your intention was. I will be very curious to see Microsoft’s response!
Once seen only in the shadows of the war against organized crime, the Federal Wiretap Act should now be moving steadily and rapidly toward the top of the corporate compliance checklist. Robust civil remedies, recent court decisions and technological developments have transformed the act’s risk profile from a non-event to a statute worthy of significant attention.
Under the act, an aggrieved party can recover a minimum award of $10,000 or $100 per day of violation — whichever is greater, or, actual damages, plus punitive damages, attorneys’ fees and costs. Comparing recent class action litigation involving security breaches with potential class actions involving the Federal Wiretap Act demonstrates the significantly pro-plaintiff aspect of this remedial scheme.
To date, the vast majority of security breach class actions have been dismissed, or resolved in the defendant’s favor on summary judgment, because the plaintiff failed to plead or prove that the security breach at issue proximately caused any cognizable damage to class members.
By contrast, under the Federal Wiretap Act, proof that the violation proximately caused cognizable harm is unnecessary, and each individual plaintiff can recover a minimum of $10,000 even in the absence of actual damages.
Courts have consistently rejected claims by employees seeking to apply this statutory language to an employer’s review of stored e-mail, holding that an “interception” under the act requires the acquisition of the content of an e-mail contemporaneously with transmission, not in storage. Because e-mail, by its very nature, cannot easily be acquired in transmission, this line of authority seemed to insulate employers from the act’s rich remedial scheme.
A recent decision by the 7th U.S. Circuit Court of Appeals, however, has raised the specter of substantial civil liability for unlawful interceptions despite extant precedent in the area. In U.S. v. Szymuszkiewicz, the court affirmed the criminal conviction for Federal Wiretap Act violations of an IRS agent who, unbeknownst to his supervisor, activated the supervisor’s Microsoft Outlook “autoforwarding” feature.
As a result, duplicates of the supervisor’s e-mail were automatically forwarded to the IRS agent without the supervisor’s knowledge or consent. The IRS agent received a sentence of 18 months’ probation.
The 7th Circuit’s decision is significant for employers because corporate IT departments commonly use Outlook’s autoforwarding feature. IT departments, for example, routinely activate this feature after an employee has left an organization, or when an employee is on an extended leave of absence, so that a supervisor or co-worker can promptly respond to e-mail intended for the employee.
E-mail journaling is a basic tool of electronic discovery as it permits the automated preservation of e-mail. E-mail journaling is particularly useful for preserving the e-mail of an employee who is unaware that he is the target of an investigation because e-mail journaling eliminates the need for the target of the investigation to be involved in preservation efforts.
Activating Microsoft’s autoforwarding feature is just one way that employers can effectuate an interception of e-mail under the Federal Wiretap Act. Increasingly sophisticated e-mail monitoring programs are capable of capturing e-mail content in real-time.
At least two domestic relations cases, for example, have held that one spouse unlawfully intercepted another spouse’s e-mail or internet chat by installing SpectorSoft software, a commercially available real-time monitoring program, on the other spouse’s personal computer. Although statistics are not publicly available, a significant number of corporate IT departments likely have installed SpectorSoft or similar real-time, e-mail monitoring products.
Because consent to an interception by one party to a communication is a defense to liability under the Federal Wiretap Act, employers can reduce the risk of liability by providing employees with notice of the IT processes that constitute an interception and obtaining their express or implied consent.
Revising the employee handbook and using a splash screen or similar warning may not, however, be enough.
Corporate counsel should encourage IT leaders routinely to communicate how and when the corporate IT department is intercepting employees’ e-mail. Corporate counsel can then analyze whether the existing policy provides sufficient notice to establish consent to the interception and, if not, can revise the existing notice or provide individualized notice to targeted employees.
Employers can satisfy this all-party consent requirement in the context of telephone monitoring by distributing a telephone monitoring policy to their own workforce and notifying incoming callers by automated means that their call will be monitored. In the context of e-mail, however, notifying the sender that his e-mail will be intercepted may not be technically feasible.